IT Rules: Content moderation, an alternative

Author: Rohit Kumar
Published: July 16, 2022 in the Economic Times. Full version below.
A lot has been written about the proposed amendments to the IT Rules. Many commentators have raised concerns that the rules go beyond the remit of the IT Act and seek more control of content moderation even as challenges are still pending in the courts. There have also been questions about the government setting up Grievance Appellate Committees and whether that will lead to political interference in moderation and censorship of critical voices.

While all of these are pressing concerns that merit deep consideration, there is also a need to examine the likely impact of the proposed rules on businesses – especially India’s digital startups – and the many administrative challenges that their enforcement may entail.

The press note accompanying the amendments explicitly says that the proposed changes are aimed at establishing stronger accountability standards, especially for the larger social media intermediaries who are perceived to be dragging their feet on compliance. The goal is to get all such intermediaries to set up better systems for grievance redressal and address the challenges presented by unlawful and harmful content being uploaded to their platforms. While this is a well-intentioned aim, the legal framework being proposed to fix the problem is likely to present many operational challenges, besides risking the freedom of speech of India’s digital citizens.

An example is the requirement to remove content within 72 hours of complaint if it is unlawful or harmful under the 10 prescribed (and very broadly defined) categories.

This change is specifically meant to address the issue of virality to ensure that the spread of unlawful or harmful content, including misinformation, is curtailed before it causes significant damage. While it is certainly important to cut the circulation of problematic content, the amendment is overzealous in that it extends the requirement to all intermediaries, irrespective of their size or the potential of virality. Content is most likely to go viral on social media platforms with significant user bases that allow for large-scale dissemination and sharing of information. Therefore, it is not necessary that smaller social media platforms or intermediaries such as enterprise communication software, video conferencing services and platforms that allow only one-on-one communication such as matrimony apps be required to implement 72-hour redressal timelines.

Even on large social media platforms, all complaints may not require expeditious redressal if there is limited risk of virality. The government should therefore consider explicitly defining virality in terms of the width of spread and the pace at which information is getting shared. In the event of a complaint, content that crosses prescribed thresholds could be reviewed on priority. Such a provision is likely to help reduce compliance costs and also increase the efficacy of the grievance process.

Another issue to consider is the structure of the Grievance Appellate Committee (GAC). While the creation of an alternative forum of appeals – outside of the already overburdened judicial process – is well-intentioned, if set up in its proposed form, it is likely to encounter several challenges in its functioning.

Given the volume of users on the internet, the GAC is likely to be inundated with an unmanageable number of requests. Intermediaries also have varying terms of use and functionalities, which could make it difficult for the GAC to assess complaints arising from widely varying contexts. For example, content takedown decisions by social media intermediaries are likely to be different from those taken by online marketplaces or enterprise software like Slack, Zoho etc. Decision making in such a situation is likely to be both cumbersome and time-consuming, making the entire exercise administratively expensive and burdensome.

A potential solution to these issues could be a redesigned, tiered, intermediary-industry-led appellate mechanism that culminates in the judicial system. To reduce distrust between regulators and intermediaries, and to force platforms to apply their terms of service uniformly, Evelyn Douek of Harvard Law School proposes that intermediaries be required to put a wall between teams handling grievance redressal and those responsible for profitability/growth and political lobbying. Evelyn’s proposal can be further strengthened by requiring intermediaries to create the first-level appellate committees in-house with independent stakeholders from outside (such as in the case of the Sexual Harassment Act). The second level of appeal could potentially lie with an industry-wide appellate body, though it might be challenging to create a truly independent body that can be insulated from both business interests and political pressures. The final appeal, therefore, must lie with the courts to protect freedom of speech and to insulate the process from interference. This thinking is also reflected in the draft shared by MeitY.

The government could also call for compliance reports on the decisions of appellate bodies to be made publicly available. This is likely to help align incentives for compliance and fairer decision-making.

While policymakers are undoubtedly operating in a challenging environment, the proposed amendments may have several unintended consequences. The government is already consulting stakeholders to overhaul the IT Act in its entirety to equip itself with new tools to deal with the changing tech landscape. Perhaps it is time that this conversation be taken forward at full steam, so that alternative regulatory models can be built ground-up, instead of patchwork through amendments.

The tokenisation regime will affect all businesses that accept cards

Authors: Rohit Kumar and Aishwarya Viswanathan
Published: June 08, 2022 in the Economic Times. RBI has since postponed the deadline to 1st October, 2022.

The payments ecosystem in India is in for a stir. The Reserve Bank of India’s no-card-storage directive, initiated in March 2020, is set to kick in from July 1st, 2022. Starting July, both authorised payment aggregators and merchants will not be allowed to store customer card credentials. Instead, transactions will have to be processed through a card ‘token’ – an alphanumeric code unique to every combination of card and merchant.

Industry insiders largely believe that this move to tokenise is well-intentioned. With access to sensitive card information restricted to fewer players in the ecosystem, the likelihood of a data breach is reduced. However, with less than four weeks left for implementation, many maintain that the transition is unlikely to be seamless and will adversely affect both customer experience as well as payment completion rates.

Note: TQH undertook a range of work on ecosystem readiness for tokenisation, including representations to the RBI, panel discussions, technical explainers and opinion pieces. Please scroll down for the links to these pieces.

The payments ecosystem requires sequential interaction between players (merchants, payment aggregators and gateways, card networks, banks) for smooth end-to-end transaction processing. For the tokenisation regime to take shape, it will require the ecosystem as a whole to demonstrate a certain degree of ‘readiness’. As per industry body NASSCOM, this would mean that banks managing at least 80% of the cards in circulation have tokenisation solutions, with stable APIs made available for merchants to integrate with their backend systems. Other bodies such as the Merchant Risk Council add that ‘readiness’ should also mean the ability to simultaneously create and process tokens, while being able to do so at high volumes and across use-cases, especially on days that see heavy traffic such as during e-commerce sales.

Voluntary disclosure on readiness, but hard to verify

So far, a few major card networks, some banks and payment aggregators have stated that they are ready with tokenisation solutions. Some have also indicated that compared to 6 months ago, their systems are much better equipped to handle token provisioning and processing. But while such disclosure by key players is welcome, available information still remains fragmented and superficial; it is also hard to verify. This, coupled with the lack of any official information being made available by the RBI, is creating a trust deficit in the ecosystem at large, and more ominously between co-dependent players.

For instance, it is still not clear if the ecosystem is ready to use tokenised transactions for use-cases such as promotional offers and cashbacks. Merchants are also unsure if they’ll be able to process refunds for customers who choose to make online purchases as guests on a website i.e., without saving card details. Since acquiring banks will not be allowed to store customer card data starting July 1st, they may have no means to track transactions to fulfil refund requests in case of guest checkouts.

The anxiety being caused by this information asymmetry is being further aggravated by the ecosystem’s recent experience with RBI’s e-mandate on recurring payments. A media report published in May this year, after 7 months of the e-mandate regulations coming into force, highlighted that success rates for recurring transactions vary between 30-75% and the experience has been extremely damaging for smaller businesses. An important use case that has still not been solved for is international payments; many foreign developers who sell software subscriptions over the internet have found RBI’s compliance requirements cumbersome and have altogether suspended payments from Indian cards.

Unintended consequences

In this regard, it may be worth noting that the tokenisation regime will affect all businesses that accept cards, unlike the e-mandate which was only applicable to those offering subscriptions. Given that we are still seeing disruptions 7-8 months after the e-mandate kicked in, the disruption post-tokenisation may be significantly more widespread than what was previously experienced.

As the deadline approaches, players in the payments ecosystem are finding other ways to cope with the uncertainty. Some are taking pre-emptive steps to avoid disruption and circumvent compliance requirements. For instance – in a first, Apple said that they will stop accepting debit and credit card payments for both app purchases and subscriptions in India, as well as for payments on ad campaigns – a matter of concern for many small businesses who leverage credit to smoothen cash flows and ensure continuity of operations.

At a time when post-pandemic economic activity is slowly picking up pace, the RBI must recognise that forcing compliance in this manner is likely to disincentivise credit usage – a move that could have broader adverse effects on the economy as a whole.

RBI should demonstrate readiness

The idea of pushing hard for compliance and hoping that the ecosystem will fall in line may not be the best approach to adopt at this time. The RBI needs to demonstrate that the ecosystem is confident of transacting at scale, and across use-cases. As a first step, the central bank must clarify what it considers to be ‘readiness’, and then proactively seek information from ecosystem players to demonstrate the same. Additionally, it must also consider introducing some flexibility in the transition period – perhaps by allowing acquiring banks to store card data till the system stabilizes. This will go a long way in reducing anxiety and ensuring a smooth transition. Moreover, it will guard against other inadvertent consequences for the economy that might stem from impulsive actions by ecosystem players – all of whom are in a haste to comply, no matter the cost.

Related pieces of work

Evaluating Ecosystem Readiness: RBI’s No-Card-Storage Mandate [Medianama, 15 Jun, 2022]

Technical Explainer on Ecosystem Readiness [The Print, 16 Jun, 2022]

Will India Pay for RBI’s hurry [Times of India, 23 Dec, 2021]

Experts weigh in on how RBI’s new digital payment guidelines can impact small businesses [YourStory, 09 Dec, 2021]

The Data Protection Bill puts Indian children at a disadvantage. Here’s how

Over-reliance on parents for consent may curtail internet access for teenagers. The discussion on what is a good age-verification mechanism has been missing from the discourse.
Authors: Aparajita Bharti & Nikhil Iyer
Published: July 02, 2022 in The Economic Times
Imagine a 16-year-old boy getting his first smartphone in a tier-3 city. He has attended school online for two years of the pandemic. He helps his parents download and use new apps. His primary means of shopping is online and he orders for the family.

Contrast this with his 70-year-old grandmother, also a new smartphone user. Like many women of her age, she has had limited formal education and is learning to use messaging and social media apps to keep in touch with her family. Who is likely to be more vulnerable on the internet? And is age, then, a good indicator of a person’s ability to make decisions when it comes to their privacy and safety online?

This is a point of contention for policymakers across the world. Currently, as the Personal Data Protection Bill 2019 stands, any child below 18 years has to effectively obtain consent from their parent(s) or guardian(s) in all cases of their data being processed on the internet. Further, there is a blanket ban on profiling based on children’s data. If this provision remains unchanged, India will be an outlier globally.

In Britain and the US, for instance, parental consent is needed for those below 13, while in China this threshold is at 14. In the EU, the threshold age is 16, with an option for member-states to reduce it to 13. At the other end of the spectrum is Australia. Its Privacy Act, 1988, mentions no age of consent. Instead, consent is valid if the individual has ‘capacity to consent’. Entities handling individuals’ personal information have to decide on a case-by-case basis whether there is capacity to consent and take parental consent if they think fit.

In comparison, the high threshold of 18 years in India is out of touch with reality, and can seriously hamper Indian teenagers from fully experiencing the digital age. Nearly one-third of all internet users in the country were under 18 as of 2020. This number is likely to have increased in the Covid context.

Over-reliance on parents for consent may curtail access for teenagers due to various reasons, including parents’ lack of exposure, gender bias and unhealthy relationships. Further, the discussion on what is a good age-verification mechanism has been missing from the discourse, even as privacy experts concur that it should not itself lead to collection of more personal data and IDs.

Ctrl + Shift to Enter

To resolve this, policymakers could turn to the Convention on the Rights of the Child (CRC), 1989. It exhorts states – their legislative, executive and judicial arms – to act in the ‘best interests of the child’ in all matters pertaining to the realisation of their socioeconomic and political rights. India has upheld the principles of CRC in various legislations, such as the Commission for Protection of Child Rights, 2005, the Right of Children to Free and Compulsory Education, 2009, and the Protection of Children from Sexual Offences, 2012. This approach should also be applied to children’s data protection and privacy.

Britain’s Age-Appropriate Design Code (AADC), in force from September 2021, presents a model. AADC entrusts entities handling children’s data with a positive obligation to give primacy to the interests of the child. It lays down 15 standards, instead of strict dos and don’ts, directing entities to implement ‘age-appropriate’ design. This design should rest on principles of data minimisation, purpose limitation, transparency, avoiding usage of nudge techniques, default settings that safeguard children’s privacy, and so on.

Virtually all entities providing online products or services – apps, programs, websites, connected toys – are covered. AADC acknowledges that the ‘best interests of the child’ may differ on different platforms, depending on each platform’s use-case. For example, risks on a gaming platform may be different than on a video-streaming platform. The code, therefore, encourages platforms to consider their impact on children and build in mitigation strategies.

For example, while evaluating whether and how to process children’s data, entities must consider risks such as physical harm, mental health issues, excessive screen time, exposure to inappropriate content, etc. AADC also gives guidance on different age-verification mechanisms, including self-declaration, artificial intelligence (AI; by assessing usage patterns), third-party verification, and hard identification (through government-issued IDs), which can be applied proportionately to the risks faced by children on the platforms.

While India has a unique socioeconomic context, there are useful lessons from such models. In place of a blanket imposition, the data protection law must make room for a principles-based approach that allows both regulation and innovation to deal with online risks to children. Entrusting all responsibility to adults can prove to be ineffective, given the well-recorded consent fatigue, and lack of understanding among adults themselves.

Instead, regulation must make way for honest conversations among developers, regulators and parents on ‘what constitutes best interests’ of children, and how best it can be enabled on each platform while balancing their security and agency on the internet.

Privacy Policies and Consent are Broken – Here’s How We can Fix Them

Authors: Rohit Kumar & Avi Krish Bedi
Published: June 15, 2022 in The Hindu Business Line
Our data is more valuable than ever. With increased digital penetration, data has undoubtedly unlocked human potential to do a lot more – and efficiently. However, with more data comes a greater risk of misuse, often exemplified by data leaks and the illicit selling of personal data. The discourse on safeguarding our data, including the discussion on the PDP Bill, is emphasizing the primacy of privacy policies and user consent as our key bastions of defense. But, as we become more aware of how businesses and other entities collect, share, and monetize our personal data, we must revisit the structural shortcomings of this approach and consciously work to devise meaningful alternatives to safeguard our privacy and autonomy.

Try recalling the last time you earnestly read through a verbose and jargon-laden privacy policy before consenting to share your data – but don’t beat yourself up over being lax about it. Multiple studies have demonstrated that privacy policies and informed consent are broken. They suffer from three behaviourally-linked problems. First, the transparency/comprehension problem – wherein the verbose legalese used in privacy policies is often incomprehensible to laypeople; this problem is further compounded by low digital literacy in India. Second, the data repurposing problem – where entities do not overtly disclose all the additional purposes for which user data could be used, thereby resulting in ‘function creeps’. And third, the consent fatigue problem – where users, by virtue of having to repeatedly consent to data sharing, are tired of doing so and are therefore unwilling to expend the time and effort required to meaningfully consent.

An over-reliance on this approach has led to the prevalence of a binary “tick-the-box” approach to data protection, rendering “informed consent” perfunctory: while users have the choice to share their data, it is far from being a meaningful choice.

Some solutions posit that data collecting entities should remain legally accountable for any breach or misuse of personal data regardless of whether they obtained consent. To give this approach some teeth, a set of inviolable ‘data rights’ are envisaged. However, the problem remains in implementing and enforcing such rights. As it stands, India still does not have a data protection law, and such rights do not have legal grounding. Moreover, it can be difficult and time-consuming to prove infringements. For instance, if my data is used by AI and IoT for purposes other than what I consented to, how would I actually know? And if I somehow found out, will it be straightforward to mount a legal challenge? Moreover, by the time such a matter is adjudicated on, will any recourse offered be enough to offset the harm already done?

If we were to step back and take another look at the problem, we may be able to find some potential alternatives. Many of the core issues around data privacy are also behavioral in nature; users may wish to secure their data but their intention doesn’t always translate into action. So, by nudging human behavior through better design principles we may be able to unlock human-centric design as a potential solution to better data privacy. By placing people rather than the service-contract at the center of this relationship, we can enable better decision-making.

While designing privacy policies, for instance, UI/UX designers should be included at the very outset of the design process. Their inputs should be used to represent privacy policies visually – to show users how their data is going to be collected and utilized if they consent. Studies have shown that visually representing data flows – through short videos / animations – can make users more aware of what happens to their data when they consent, thereby reducing incomprehensibility and increasing transparency, while also tackling consent fatigue. This also has the added benefit of tackling limited literacy and linguistic diversity in a country like India.

Device makers and operating systems can also be encouraged to implement a ‘master privacy preference setting’ on user devices. Effectively, this will allow users to have a master control panel to preconfigure their data sharing preferences – where they can decide the frequency and type of data they are comfortable sharing in the normal course of online activity. And if a user’s master data sharing preferences do not meet the requirements of an app, they can either choose not to use it, or take time to specifically consent to its additional requirements. On the supply side, such a structure would incentivize the app to minimize data collection or even provide a ‘Lite’ version of their app – with basic functionality requiring only essential data from users – to prevent large-scale user drop-off.

Businesses and other entities can also be incentivized to ethically and responsibly collect data by creating a government approved market of accrediting agencies. These accreditors can carry out assessments on an annual basis to evaluate privacy policies and other data collection practices on a range of metrics including data minimization, purpose specificity, etc. – to provide score-based certifications / star ratings. A similar mechanism is also envisaged through the ‘Data Trust score’ in the PDP Bill. If well implemented, it can go a long way in addressing the shortcomings we see in the current context.

Privacy policies today remain complicated and inaccessible for many. There is a case to be made to behaviourally nudge users to invest more energy into comprehending and consenting to how their data is collected and used. Even as our lawmakers work towards devising a robust data protection law, we must also empower people and incentivise businesses to meaningfully safeguard privacy and autonomy in the digital realm – creating a win-win for all in the long term.

India’s road to a digital El-Dorado

Authors: Deepro Guha & Aishwarya Viswanathan
Published: April 29, 2022 in the Mint
As of 2021, India had issued over 1.31 billion digital identity cards via its Aadhaar platform, and over 1.1 billion digital vaccine certificates via its CoWin platform. More recently, its Unified Payments Interface (UPI) crossed the $1-trillion mark in transaction values after it recorded 5 billion transactions in a month for the first time in March 2022.

What makes these numbers come alive is the sheer speed at which these digital platforms have achieved this scale of operation. And while this digitisation journey began in 2010 with Aadhaar to empower Indian citizens, in recent times India has discovered that its home-grown digital solutions can not only be leveraged to further its own development agenda, but also support its wider diplomatic efforts.

Aadhaar’s open architecture that allows for scalability and vendor neutrality has already resulted in several countries approaching India to either replicate the model or at the very least take note of its technology to develop their respective digital ID systems. The most recent development on this front includes a grant to Sri Lanka to implement its own digital ID program, modelled on the Aadhaar experience.

In a similar vein, the National Payments Corporation of India (NPCI) – the developer of UPI – is also providing technological assistance through licensing and consulting for building real-time payment systems to countries across the world. This is being done both to help countries establish their own payment systems and to further integrate UPI with international payments infrastructure. So far, Bhutan has adopted UPI standards for its Quick Response (QR) deployment, and Nepal has fully deployed the UPI platform – becoming the first country outside of India to do so. The RBI and the Monetary Authority of Singapore (MAS) have also announced a project to link their respective fast payment systems, UPI and PayNow. In April 2022, BHIM UPI went live across the UAE.

These recent collaborations hint at India’s commitment to nurturing ecosystem efforts to build and strengthen its digital diplomacy. There are two key factors that have enabled India to emerge as a leader in building and exporting such technology.

First, India’s IT sector, with an estimated value of over US$ 150 billion and employing nearly 4.5 million people, has consistently remained a key driver of economic growth. In fact, India’s talent pool in the ICT ecosystem is also increasingly participating in developing and maintaining India’s digital infrastructure. For instance, the Digital Infrastructure for Vaccination Open Credentialing (DIVOC), an open-source vaccine management platform created by a private collective of technologists, eGov Foundation of India, has been leveraged by other nations, including Jamaica, Sri Lanka, Indonesia and the Philippines, to streamline their Covid-19 vaccination process.

Second, India’s strong political will and deliberative policy making have been crucial in providing high-level direction to steer ecosystem efforts. For instance, the Ministry of Electronics and Information Technology’s decisions to incentivize the use of open technology, through the Policy on Adoption of Open Source Software, Policy on Open APIs, Policy for Open Standards etc., have expedited the creation of digital public infrastructure and digital public goods. An example of the benefits of such technology is the use of open APIs to leverage the Aadhaar database for providing services like eKYC, DigiSign etc.

The government has also recognized the importance of including diverse stakeholders in the initial decision making for building such digital infrastructure. This is crucial, as these are parts of highly technical ecosystems, and thus require specialized administration, which goes beyond traditional bureaucratic expertise. A prime example of this is the creation of an ONDC Council, which comprises experts from bureaucracy, finance, retail trade, coding etc. Once activated, the Open Network for Digital Commerce (ONDC) will allow various e-commerce entities to showcase their products/services on a common platform, thus potentially introducing greater competition in e-commerce in India.

The government’s recognition of the importance of diplomacy led by digital public goods also highlights the key role these instruments will play in an emerging new world order.

For example, in light of growing global risks (like wars, pandemics etc.), creation of such infrastructure in areas critical to the functioning of the global economy (like finance), will both increase India’s resilience and further its strategic advantage. This is why in December 2021, a parliamentary panel proposed India building an alternative to the SWIFT network (which has now been used to impose economic sanctions against Russia in retaliation against its invasion of Ukraine).

Furthermore, building indigenous digital solutions that can create interoperable systems between jurisdictions (like UPI), and potentially reduce compliance, transaction costs etc., can garner global goodwill for India. For example, Estonia’s X-Road open software ecosystem, which has recently allowed for cross border data exchange between Estonia and Finland, is a marker in global standard setting and has allowed Estonia to build impressive soft power in the technology domain.

As the world navigates a new wave of rising geopolitical tensions, the need for building resilience while fostering new forms of cooperation becomes more relevant than ever before. In this regard, India’s advances at laying out its own digital Belt and Road have been noteworthy, and something worth keeping our eyes on.

Data Protection Bill: Don’t mule the unicorn

Authors: Aparajita Bharti & Nikhil Iyer
Published: May 19, 2022 in the Economic Times
The Justice Srikrishna Committee Report on a Free and Fair Digital Economy, which was the basis for the Personal Data Protection Bill, was released in July 2018. Until then, India had 16 unicorns – startups with a valuation of US$ 1 billion or more. Since then, there have been 84 more unicorns (as of May 2022). The upcoming law on data protection, currently under deliberation by the Ministry of Electronics and Information Technology, must create a conducive growth environment so that India’s startup ecosystem keeps thriving.

Broadly speaking, this law will set industry standards for data protection, resulting in enhanced customer trust in the digital economy. However, some provisions in the Personal Data Protection Bill 2019 and the Joint Parliamentary Committee’s (JPC) 2021 report merit a deeper discussion around the implications especially for India’s start-ups.

Startups around the world use various services and plug-ins to conduct their business efficiently, ranging from services that help with sending emails to customers, shipping, marketing, payments, etc. Often, these services are offered by global tech companies, who may be using foreign servers for their purposes, and who send processed data back to India to the concerned startup. Going by the JPC’s suggestions, these entities may need to obtain the DPA’s approval for each contract or scheme to be used for cross-border data transfers, and the DPA may deny approval on grounds of ‘public policy’ or ‘state policy’. This is an onerous requirement, which will require substantial resources from both the startups and the Government. It is especially worrisome as the export-focused Information Technology/IT-enabled Services industries are crucial cogs in India’s growth story. Over half of these exports are to the USA, with another quarter to Europe.

There is also immense uncertainty over how non-personal data (NPD) will be regulated. NPD is data which is stripped of any personally identifiable information or which is anonymised, e.g. weather data, geospatial data, telemetry data, travel data, etc. The ability to process this data in innovative and creative ways, often through proprietary methods, is important for startups, which invest significant technical and financial resources in it. Any law which mandates sharing of NPD is bound to affect their incentives to invest in data collection, storage, analytics, etc., as it will interfere with the companies’ intellectual property rights over their datasets. This provision can also make Indian start-ups less attractive to global funders.

Further, neither the current Bill nor the JPC’s suggestions forbid the Central Government from accessing foreign data once it is in India. This has raised concerns that India may not meet data adequacy requirements – essentially, it may fail to offer adequate protection to data that is imported into India for processing. Indian startups that look to process the world’s data will find these to be impediments, as other countries may forbid their companies from sending citizens’ data to India.

Another cause of concern is for start-ups focused on building products for children. According to the Bill, Indian companies creating products and services for children in edtech, gaming, social media, etc. will have to contend with a high age of consent at 18 years, even as other countries allow children to consent to data processing at a much younger age: 13 in the USA, or 16 years, as under the GDPR in Europe. India’s current Bill also puts a blanket ban on profiling children, making customisation of services difficult, e.g., to use AI to offer customised programs for children in a classroom as per their learning abilities – further disincentivising innovation for this target group.

With regulatory ambiguity on key issues, the Indian startup story is at a crossroads today. On the one hand, recent months have indicated that the market is bullish about their prospects, going by the investments they have attracted. Investors have backed startups across a range of sectors – fintech, SaaS, e-commerce, travel, healthcare, education, etc., many of which have become unicorns. On the other hand, by imposing such requirements, we risk tempting Indian founders to register their startups outside India to avoid onerous compliance. An overzealous data protection framework can, therefore, undo decades of progress that the Indian start-up ecosystem has made.

While the Indian government’s aspiration to be a global thought leader in tech regulation is appreciable, straying too far from global benchmarks can have unintended economic consequences. One hopes that the next version of the Bill that the Government brings to Parliament will take into account the aspirations of India’s entrepreneurs, to whom we are looking to create millions of jobs of the future.

Root out the prejudices in the Hindu Succession Act

We owe it to India’s daughters and their parents the same right to care for each other and be cared for by each other as we have for sons in our society, in life or in death.

Author: Aparajita Bharti
Published: June 03, 2022 in the Hindustan Times
Imagine a married couple without any children. The husband and wife work their whole lives, build their property and stash away savings in a joint bank account – hoping it will help in taking care of their ageing parents. Yet, when they die suddenly, without a will, all of their movable and immovable property is transferred to the husband’s parents. The wife, although economically independent and empowered, fails to provide for her parents because the 1956 Hindu Succession Act (HSA), which applies to 80% of India’s population including Buddhists, Sikhs, and Jains, dictates different schemes of property devolution for men and women if they do not have a surviving spouse or children: all of the husband’s property goes to his natal family, but the woman’s property devolves to her in-laws.

Sections 15 and 16 of HSA are a point of contention in two landmark cases, one before the Supreme Court (SC) and another before the Punjab and Haryana High Court. In the first case earlier this year, the SC asked the government for its views. Shockingly, the government backed these provisions, failing to take into account the increased role of women in the economy, vastly changed family structures since 1956, and the blatant gender discrimination that this law legitimises.

On the one hand, we have laws such as The Maintenance and Welfare of Parents and Senior Citizens Act, 2007, which holds ‘all children’ equally responsible for the welfare of their aging parents and based on which successive judgements have emphasized that married daughters are responsible for their parents. On the other hand, we have provisions such as Section 15 in the HSA which systematically take away from daughters the right to provide support for their parents in the event of their untimely death. When the law exhorts daughters to care for their parents at par with sons, it also needs to provide an equal footing to both sons and daughters in the case of devolution of property after their death.

The changing demography adds more urgency to the need for reform. India’s Total Fertility Rate (the number of children an average woman will bear in her life) is 1.6 in urban areas and 2.1 in rural areas, indicating that fewer couples have children, and those who do have fewer children. In addition, the proportion of couples with only two daughters who accepted sterilisation more than doubled from 16% in 1992-1993 to 33.6% in 2015-2016 (National Family Health Survey-4/NFHS-4), indicating higher acceptability of daughters as only children than earlier. Further, 42% of women own a house, and 32% of women own land jointly or independently. All these numbers indicate that women now hold more assets, they are the sole providers for their aged parents more often, and they do not leave behind children after their death as often. So, the number of people affected by HSA will only increase over time.

The Hindu Succession Act in its current form perpetuates the belief that women solely belong to their ‘married household’ after their marriage – a commonly cited reason for the preference for a male child as parents consider sons a safer insurance for their old age. No wonder, according to NFHS 5, the number of married people who want more sons than daughters is still several times the number who want more daughters than sons.

A paper published by National Institute of Public Finance and Policy in 2020 examined these provisions in HSA and suggested an amendment along the lines of the Goa Succession, Special Notaries and Inventory Proceeding Act, 2012, and the Indian Succession Act, 1925, which put men and women on par when it comes to devolution of property. The existence of these legislations points to the fact that legal precedents for an equal scheme of devolution already exist and parts of Indian society have already had years of experience with them.

One hopes that, taking cognisance of the scholarship available on this topic, the government will revise its stance and bring an amendment to the Hindu Succession Act in the Parliament to correct this injustice. In the meanwhile, one also hopes that progressive states will amend these provisions given that succession is a concurrent subject. In the absence of sincere efforts to root out the patriarchal biases from our laws, campaigns such as ‘Beti bachao, Beti padhao’ will fail to change long-held prejudices. We owe it to India’s daughters and their parents the same right to care for each other and be cared for by each other as we have for sons in our society, in life or in death.

Author: Aparajita Bharti is a daughter, also the Founding Partner of The Quantum Hub, a Delhi based policy research and consulting firm

Covid-19: Prioritise gender-responsive recovery

This International Women’s Day is a reminder that we must strive for a gender-inclusive economic recovery and not lose the strides made in women’s empowerment in the last few decades on account of the pandemic

Authors: Sona Mitra, Mayank Mishra & Nikhil Iyer
Published: March 05, 2022 in the Hindustan Times
The Covid-19 pandemic has caused serious economic disruptions. As we celebrate International Women’s Day (IWD), a focus on gender-responsive economic recovery is imperative to counter the disproportionate impact of the pandemic on women, especially in India.

The majority of the working women (around 91%) in India are in informal employment, characterised by job insecurity, income volatility, and the absence of social safety nets that prevent and assuage the impact of economic shocks. According to the State of Working India Report 2021, by December 2020, nearly 47% women suffered a permanent job loss, compared to 7% men.

Even though the Periodic Labour Force Survey (PLFS) 2019-20 reported an improvement in female labour force participation rate (FLFPR) for women aged 15 and above – 30%, against 24.5% and 23.3% the previous two years – scholars have disputed these gains. As per the latest official data, FLFPR had dropped to 21.2% in January-March 2021, with the female unemployment rate increasing to 11.8%, against 10.6% a year ago. (PLFS Quarterly 2021).

The informal sector lacks access to or awareness of financial services, new modes of payment banks/platforms, and the requirements needed to access credit. For women workers, the hurdles to access are compounded by a lack of access to smart gadgets and the knowledge of using them.

The pandemic has also severely hit the women-owned MSMEs. The disruption caused by the successive lockdowns has led to a loss of revenue and business discontinuity for MSMEs, including women-owned ones. The Indian entrepreneurial ecosystem is heavily skewed – the last published economic census (2013-14) revealed that women-owned enterprises comprised only 13.8% of the total number of enterprises. Most of them are small businesses. Further, women entrepreneurs in India face issues like lack of skills, training, and support, adversely impacting their professional journey. In such a scenario, the pandemic may push women entrepreneurs out of the market, who may find it harder to return.

For a gender-responsive recovery, targeted and accessible government assistance is important to improve women’s access to jobs and earnings. Moreover, it is not only important to arrest the decline in FLFPR but also sustain the gains made in women’s economic empowerment, which clearly leads to positive spill-over effects on family planning, maternal and child health, investment in child’s education, etc. In this context, we outline a few proposals from our paper on a Gender Responsive and Inclusive Economic Recovery in the COVID-19 Context.

Let us begin with urban employment. There has been a discussion around the need for a national urban employment programme to complement the National Rural Employment Guarantee (MGNREGA) since the later part of 2020.

States such as Tamil Nadu have also implemented similar programmes. The scheme could build in minimum workdays guaranteed for women, with mandates on urban local bodies to pursue gender-responsive works and IEC campaigns. Such programmes have the potential to bring women back into the labour force.

Women are also securing opportunities in the emerging digital-enabled gig economy, particularly in platform work in the service domain. However, this form of employment is still precarious and needs social security coverage. The Code on Social Security was passed in 2020, which includes mention of platform and gig workers; however, its implementation is yet to be felt. Recent reports suggest 10 crore unorganised workers have registered on the e-Shram portal, of which about eight lakh are gig workers. The Government of India may consider providing incentives for platforms to offset the implementation costs that digital platforms will have to incur to provide social security to their workers.

To prepare women for industry 4.0, India has to provide skilling and training in digital and business skills tailored to the future of work. In line with the government’s priority to bring India online, women should be equipped to exploit the internet’s opportunities. Existing gender resource centres under the National Rural Livelihoods Mission (NRLM) and National Urban Livelihoods Mission (NULM), where women access information on schemes, entitlements, etc. could be upgraded to impart these skills. The PMKVY should include provisions for digital training of young girls.

And finally, prompt action is needed to redress the disproportionately high amount of time (six times) that Indian women spend on care work, which has worsened during the pandemic and has driven many women to withdraw from the labour force. Therefore, it is imperative that infrastructural provisions that reduce time spent on household chores and enable child and elderly care be provided to women at every nook and corner of the country. This would entail ensuring basic infrastructure such as water supply, road connectivity, energy, and clean fuel access. In addition, the universalisation of creches needs to be approached with utmost seriousness.

Further, as India has one of the worst health/education worker to population ratios, these are areas in which women can potentially find opportunities. Researchers at the Azim Premji University estimate that regularising the jobs of anganwadi workers, Accredited Social Health Activists (ASHA), etc. and filling existing vacancies can create up to 3 million jobs.

As the country strives to get back to normal, the government has an important role in ensuring that women do not get left behind. This IWD is a reminder that we must strive for a gender-inclusive economic recovery and not lose the strides made in women’s empowerment in the last few decades on account of the pandemic.

Authors: Sona Mitra is principal economist, IWWAGE, and Mayank Mishra and Nikhil Iyer are public policy manager and policy analyst, respectively, at The Quantum Hub Consulting

Filling the physical gaps in India’s digital push

Non-tech elements like community engagement and governance are important to realise the true potential of India’s digital platforms

Authors: Varad Pande & Rohit Kumar
Published: March 07, 2022 in the Indian Express
A lot has been written about the emphasis on ‘digital’ in the 2022 Union Budget (indeed, the word ‘digital’ was mentioned over 30 times in the Finance Minister’s speech). But one aspect of this emphasis that hasn’t been talked about as much is the importance given in the budget to digital public infrastructure (DPI) – the idea that cross-sectoral ‘digital rails’ like ID, payments and data exchanges when combined with open interconnected data systems in sectors like health, education and social protection, can transform service delivery for ordinary citizens.

India is seen as a global trendsetter in the DPI movement, having set up multiple large-scale DPIs like Aadhaar for ID, UPI for payments and sector-specific platforms like DIGIT for eGovernance and DIKSHA for education. Each of these has helped push the frontier of public service delivery in the country.

This year’s budget adds to the growing discourse on DPIs by making four key announcements – in health, an open platform with digital registries, a unique health identity and a robust consent framework; in skilling, a Digital Ecosystem for Skilling and Livelihood (DESH-Stack) to help citizens upskill through online training; a Unified Logistics Interface Platform (ULIP) to streamline movement of goods across various modes of transport; and for travel, an ‘open source’ mobility stack for facilitating seamless travel of passengers.

These announcements are a welcome development. Research by Omidyar Network India and BCG shows that the creation of national digital ecosystems in sectors like health, jobs and skilling, agriculture and justice, can lead to economic opportunities worth 50 lakh crore by 2030. Similar analysis by the Centre for Digital Economy Policy Research (C-DEP) also estimates that national digital ecosystems could add over 5% to India’s GDP.

But even as the potential benefits can be immense, there are important design considerations that we must get right if we are to truly unlock the value of these platforms for the larger good of citizens. One way to think about this is by differentiating between the ‘tech’ and the ‘non-tech’ layers of our digital infrastructure – while India seems to have made significant headway on the ‘tech’ layers, the ‘non-tech’ layers of community engagement and governance still need a lot more work. The combination of these three layers – technology, community and governance – is what is critical to making tech work for everyone. Together they embody what we call the open digital ecosystems (ODE) approach.

To unleash the true potential of India’s ODEs, we need to get the ‘non-tech’ layers right, by prioritising principles around data protection, universal access and accountability. While this presents a large menu, three specific non-tech levers are critical to get right.

First, protecting data of all users and giving them agency over how their data gets used. The passage of a robust Data Protection Bill is imperative. But, we also need to go beyond the mere requirement of ‘consent’ which is the core of data protection legislations. Consent as a construct is insufficient, as anyone who has tried to read privacy policies on their phones knows – it forces you to make a binary choice, in quick time, in an environment of information overload in dense legalese. While this is a tough problem to solve, recent research by the Centre for Social and Behaviour Change (CSBC) suggests that users can be “nudged” to make privacy conscious decisions by providing standardised privacy ratings, presenting privacy policies more visually, and mandating users to stay on the privacy page for at least a few minutes.

Second, it is important to address India’s digital divide when delivering services through tech. Research by ORF, for instance, shows that Indian women are 15% less likely to own a mobile phone, and 33% less likely to use mobile internet services than men. This, and other such disparities including India’s rural-urban divide, can undermine the country’s ODE project and lead to large scale exclusion if not consciously addressed.

So we need a ‘phygital’ approach that leverages multimodal service delivery through both online and offline options and strong grievance redressal mechanisms. Research by Aapti Institute and eGovernments Foundation has shown that leveraging trusted local intermediaries who are embedded in communities — local influencers, grassroots NGOs etc — can significantly improve access to tech platforms for marginalised groups.

Finally, as we push the frontier on digitisation, India must also focus on developing anchor institutions and robust governance frameworks to ensure that its tech infrastructure remains fit for purpose and accountable. Just as Aadhaar is anchored by UIDAI under an Act of Parliament, and the Ayushman Bharat Digital Mission (ABDM) is anchored by the National Health Authority, every new ODE requires an enabling and accountable institutional anchor. These institutions are critical for setting standards, ensuring a level playing field and safeguarding consumer interest while ensuring speedy grievance redressal. The sector-specific institutions also need to be complemented by a national level ‘National ODE Council’ to inform coordinated policies and keep the focus on citizen-centricity.

India has embarked on a unique journey of tech led service delivery at unprecedented scale and speed. From Aadhaar and UPI to DBT and CoWin – India’s tech stacks are grabbing the attention of the world. It is now critical to bring the gaze on to the non-tech layers of the stack, so that the potential of these platforms can be unlocked for every Indian.

Authors: Varad is a Partner at Omidyar Network India and Rohit is a Founding Partner of The Quantum Hub

Bridging the digital divide in education

The NDEAR vision does not build a new “app”; it connects what already exists

Authors: Varad Pande & Aishwarya Viswanathan
Published: January 27, 2022 in the Financial Express
While the pandemic has accelerated education online, it has also exposed a deep digital divide, with more than 30% students not having access to online learning. This has increased the focus on building inclusive solutions in EdTech. A ray of hope in this context is the National Digital Educational Architecture (NDEAR), the blueprint for which was recently released by the government. Set up as a digital pathway to the policy goals envisioned in the National Education Policy, 2020, NDEAR takes on an ‘Open Digital Ecosystem’ approach, where a set of principles, standards, specifications, building blocks and guidelines seek to enable different entities to create elements of the digital education ecosystem. At its core is the principle of interoperability, i.e., enabling disparate education related tech systems to “talk to each other” seamlessly, rather than operating in silos, thereby multiplying the possibilities of impact.

How will this change the life of a student? Here is just one example of how NDEAR could potentially help: Consider a student, Manisha, whose parents are relocating from Bengaluru to Dehradun. Manisha is worried that she may be behind her new peer-group especially as the curriculum of the Uttarakhand state board may be different. Her parents are stressed about completing the paperwork for the school transfer. And teachers in her new school are concerned about how to accommodate her learning needs. NDEAR can help ease this transition in multiple ways. To catch up with the rest of the class, Manisha can access curated learning material specific to her needs via the DIKSHA platform. Her parents, with access to her student ID, can complete the transfer process entirely online in just a few steps, by instantly sharing verifiable school records and test results. As for Manisha’s new teachers, access to her online learning passbook can enable them to have a better understanding of her needs, while being able to support her, for example, in ‘catching up’ on Hindi language skills using online teacher manuals and other personalised tools enabled by NDEAR.

What is unique about NDEAR is that it is not about building a new “app”, but about connecting what already exists, and reimagining how technology can be leveraged to upgrade the entire education ecosystem for deploying tailored EdTech solutions speedily, sustainably and at population scale.

While this tech enabled vision is inspiring, its success or failure will be determined by its implementation. Specifically, we believe that much of the success of the NDEAR tech infrastructure will lie in getting the ‘non-tech’ elements right. There are four fundamental issues that implementers and enablers will have to factor in.

First, it will be important to ensure that NDEAR’s implementation improves and not worsens access to education in the context of India’s digital divide. As per 2019-20 UDISE+ data, only 38.5% of schools across the country had computers and 22.3% of schools had an internet connection. Therefore, it is crucial that the NDEAR vision is supplemented by concerted policy efforts to equip schools with the necessary ICT infrastructure, like Kerala’s KITE enabled interventions. And in the interim, while the tech infrastructure is being built, it will be critical to drive access to NDEAR services through multimodal channels, including television and low-tech mediums such as SMS delivered through basic feature phones, such as in Jharkhand’s DigiSATH initiative which leverages WhatsApp, television, the DIKSHA app as well as offline learning to connect all stakeholders.

Second, to ensure adoption of NDEAR enabled solutions and build the legitimacy of digital learning, it will be important to recognise the role parents play in both monitoring and facilitating their children’s learning, and engage them meaningfully. An attempt has been made in Himachal Pradesh through the government’s e-Samwad application where schools send regular SMS updates to parents to establish a direct channel of communication.

Third, NDEAR will need to ensure that the data rights of children remain secure. The potential of EdTech solutions delivered through NDEAR will depend on their responsible deployment, which would include responsible collection, sharing and processing of data. Since children will never be fully cognisant of the privacy risks that the digital world entails, compliance with the upcoming Personal Data Protection Bill, with additional safeguards given the target audience of this platform, will be important. There are good frameworks for this both in the United States and the European Union that can be leveraged.

Lastly, given the pace at which digital learning is growing, NDEAR’s development should be firmly anchored in an ‘accountable institution’ that can guide its quick development while providing independent oversight needed for the management of the platform. The proposed National Educational Technology Forum may be a good forum for this, and such an institution should have representation from tech and domain experts as well as teachers and parents to help ensure the NDEAR architecture delivers tech solutions that are truly student-centric.

NDEAR presents an audacious vision to leverage the power of tech to enhance India’s education system. This vision must now be matched with the right non-tech, student-centric enablers and safeguards to achieve its potential.

Authors: Varad works at Omidyar Network India and Aishwarya works at The Quantum Hub